Posted
by
CmdrTaco
on Sunday August 05, 2001 @08:11AM
from the something-to-think-about dept.

An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assesment of security problems with the unified login that passport aims to achieve. This is a good read.

The sole reason that Passport is being pushed forward, is to minimise the number of logons and password that a user needs to remember; so we store them in one location!
Wouldn't be more secure to have multiple logons (for each service provider) that are exactly the same? Sure there would be a security problem if someone happens to know my logon and my password, but there is a lesser chance of them having access to all my details, because they have to logon for every single service individually.

I found the following from the paper to be very pertinent: "The centralized service model is antithetical to the distributed nature of the Internet that has made it so robust and so popular."

sasha328 the P2P movement is certainly an alternative.
Look at what AOL has done:
1) They own the portal as an ISP with millions of users;
2) They own the digital content (Warner Bros., Atlantic Records, etc.);
3) Now they've decided to control the delivery of that content before P2P does it for them.
More at:
http://wavxtek.tripod.com/AOL_and_DVI.pdf

The single-signon mechanism is housed on a central MS server. So someone like IBM would have to send a redirect to the browser with the URL of the Passport login page. From my understanding of the article, all of the communication between Passport and IBM would happen through the client. The client is the medium of communication between Passport and the vendor. Please correct me if I am wrong.

Or to be more specific Microsoft Internet Explorer 5 is the only valid communication mechanism between the vendor and Microsoft. Microsoft worldwide empire is going to be built on redirects and cookies?!??! Dear God, please deliver us from this insanity.

Why not say to each vendor, here's drop this Box in your network, use it as your authentication, will setup some sort of super encrypted VPN between your network and ours and we'll provide real-time authenitcation. Why not? Because it is too easy, and it doesn't TRAP THE CONSUMER INTO OUR INCREDIBLY INVASIVE SOFTWARE.

What about browsers that don't accept redirects? I know, I know, it's 2001, people should be using modern browsers, but what about people with old computers. I mean, maybe I'm just wrong, but if you are say Barnes and Noble or Ford ( whatever? ), why would you hand over your security concerns to Microsoft?!? After such high profile security explosions such as CodeRed, and now the CodeRed II which is MUCH MUCH WORSE because now everybody who has read Slashdot today has root privileges on every box that has been compromised. ( Be good, people. Be good. )

The article does a good job of articulating specific issues with the Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS [xns.org] or other open source single signon systems. However, I believe they are missing an important piece.

This is important because users tend to pick poor (guessable) user names and passwords...

Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article [slashdot.org] that discussed how the average person tends to do a poor job of picking a secure password.

Fundamentally, Microsoft's passport or any other single signon system is as weak as their weakest link. Which, in many, cases appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.

These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.

However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrives en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.

Bah, none of these single signon systems for me.
I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!

Once agian Ms boasts a new "protocol" or implementation of software that relies on one, and once agian it is proven insecure. I find it not surprising though. How can I or any of us for that matter, think that something aimed toward making authentication easier, coming from MS, would actually make things better? Oh surely mure, the atypical weblite user is going to find this a great and a wonderful "time saver", while the rest of us who give a sh*t about information security end up finding ways to publicize its' flawed security model, in desperate attempts to keep something that may end up forcing into its' use from monopolistic tactics upon us, from being so problematic. Thanks MS...

I think it would work better... it solves ALL problems listed except for poor passwords. However, the "average" user will never remember a password that is any good - and will demand some "remember my login" feature. This combination ensures INsecurity. Until people are willing to remember a short (6+) character sequence, and are willing to type it in (and change it periodically, there can be no good security (using passwords).
The main disadvantage to kerberos is that most browsers do not inherently support it - you need plugins and sometimes a completely separate application.

We pointed out this flaw to Microsoft. Microsoft indicated they were already aware of the flaw, and it was fixed that same day.

So, they had been aware of the flaw, but did nothing about it untill it was publicly known? Call me paranoid, but how about this: Exploits are OK as long as they are known only to Microsoft people? Are they leaving some easter eggs so that a bunch of MS employees can gain access to other people's information and money?

It's bad enough that so many untrustworthy commerce sites are out there, running broken versions of MS web servers. Now we are supposed to have microshit as a "trusted" third party for all our commerce and authentication. No way Jose. My webshoppin days est fini. I'll be usng the phone from now on.

This is a very hairy deal, which proves that it was not written by some slick moneygrabbing M$ two piece suit with no concept of that quality software is!;-)
(you need to read through the article to the bottom to understand that)

I am not a crypto wizard to understand all the article. But I believe the main purpose of Passport was the necessity either to keep a lot of different passwords or to have a center that authentifies a person using the single password.

I believe that it's possible to keep a lot of different random passwords in any hardware device attached to computer thus avoiding most problems. The device may be the special keyboard (for instance, with magnetic, chip or proximity card reader), the standalone card reader or, preferably, USB key attached to the USB port that is present everywhere now (For USB challenged people there is a FDD). Of course, the device should be supported with some device-independent open-source protocol (Or we shall not trust it).

But I believe that Microsoft needs Passport NOT for our benefits, but for benefits of Billy's pockets and so Password will be pushed into our throats leaving all non-M$ aside.

Well, I agree with the artical that there are an abundance of problems with passport, its truly unfortunate that it could not be done better/independently. The idea of Passport seems like a great one that could indeed help users, and make them more secure. As the artical states most users use bad, and repeating passwords. Something like this would probably make those people more secure in the the long run. as the acutal vendor would not have access to the persons password. Unfortunatly it is deeply flawed. Oh well maby some "open" project will emerge, and provide a better verson of passport.

There's nothing particularly wrong with single-signon, just so as long it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convience that Passport provides. Thus, we need a good alternative.

I found this [madasafish.com], which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.

Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).

Maybe something like this will be discussed at JabberCon [jabbercon.com].

We need something just like passport which acts a more like kerberos. Where the server gives authentication tickets that expire, like cookies but it is not done via a redirect. If say, te third party client could do the request on their behalf, it wouldn' tbe as bad.

Another option would be different passwords for different uses. Of course my email password might be a little easier than say, the password for stuff i use my credit card number. Better yet, I might actually want to use a different password for everything. An option similar to RSA/DSA keys used with SSH. You don't need to use the key pasword you set on the server, but can use the password you used to create a particular keypair.

Naw, we should be using a Jabber-like program with a couple of differences. For instance, do away with the XML, it is an unnecessary complication.

I really dislike the Jabber project for many reasons, a couple of which are simply the unexplainable "bad vibe" kind of things. I think much of it is needlessly complicated, using an ineligant solution to a really rather simple problem. The fact that it too so long to become stable is testament to this, I believe. It should have taken about a month from beginning to end with a team of four.

Parsing XML isn't as bad as you think, especially with the availability of libraries. Understanding the protocol is loads easier when everything you get is plaintext XML. I think this is one of the positive sides to Jabber.

As an open source project, you should understand why it has taken them so long. Developing a client is one thing, but developing an IM system takes much more work. Compare it to writing the first mail server.

Anyway, it's much more mature today than ever. The main faults are: lack of good clients (which I am trying to fix [affinix.com]), and transport instability. The instability generally comes from IP blocks by AOL to the jabber.org server. This can be solved by simply running your own server, which is the whole point of Jabber anyway.

At this point in time, my day-to-day IM consists of a private Jabber server, the AIM and ICQ transports, and the client I wrote. It's a proven system at this point. I say we run with it, rather than try to create something new again.

First of all, the article seems to have a point (although I am not a computer security expert). Particularly, the redirects inolving HTTP and DNS tricks are already popular compromises. Therefore, Passport is indeed insecure.

What makes stuff worse is that (unlike most other web-based authentication systems), Passport is going to be used massively by thousands of online dealers. Think about what would happen if Amazon were compromised. Passport break-in would be worse, since all of the Amazons of the world will grow to rely on it.

So the real problem with Passport is that it is going to be used so widely; it is a valid small-scale solution (where the profit from compromising such a service is minimal), however it does not scale well when we talk about millions of users spending billions of dollars. I just hope that Passport will not be used by serious retailers, if we ever want to have some semblance of security and privacy.

Although I don't know much about the design decisions involved in implementing passport, I don't see why they don't use a zero-knowledge protocol (ZKP). Basically a ZKP is a way for Alice to prove to Bob that a certain claim, C, is true. Furthermore, under certain assumptions (e.g. factoring is hard, graph-isomorphism is hard, etc.) you can prove that Bob doesn't learn anything beyond the fact that C is true.

How would this be used for authentication? I generate an instance of a hard problem, P, along with a claim, C, which I only I can prove. I publish (P,C) as a type of public key.
If I want to prove to slashdot or Hotmail that I am me, I use a ZKP to prove C thus authenticating myself. Since I used a ZKP, even though slashdot now knows C is true, slashdot doesn't know how to prove C itself. So slashdot can't pretend to be me when talking to Hotmail (unless slashdot can factor or solve my chosen hard problem).

Some benefits of using a ZKP include:

I only need to log into my computer with
a single passphrase and then my computer
can use a ZKP to convince all the other
web sites of my identity.

The system is provably secure under certain
assumptions.

No central authentication server has a list
of passwords or other information it can
use to impersonate me.

Since no central authentication server is
necessary, the authentication prover (i.e.
the program that runs on my computer to
prove who I am) and the authentication
verifier (i.e. the program that runs on
slashdot to check my identity) could be
implemented by different companies. Thus
you could use an open source prover with
an MS verifier allowing interoperability.

So my question is why doesn't MS use a zero-knowledeg protocol to implement passport? Is this type of idea patented, or are there are other issues such as security, speed, etc.? I'm not trying to bash MS since I know that they have some pretty smart people there I'm just trying to find out why they didn't use ZKP.

I suspect the answer is because a ZKP based system would probably be easy to clone by open source people or other companies. On the other hand, passport seems to give them significant business advantages at the cost of security, interoperability, elegance, etc.

If found this following quote interesting: "Presumably, the Hotmail logout button is used to remove the Hotmail credentials, while the Passport signout button is used to remove the Passport credentials to all services. While this may be clear to computer security experts, it is unlikely that the average non-expert computer user will understand the distinction."

This is a bit unusual; most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

Who wants to place bets on how long it will take before somebody starts harvesting ID's from the local libraries?

Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why its okay for Microsoft to use its powers to "innovate," just like its okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.

To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced.

I don't think that's true. There is a redirect through Passport for every site the user visits, and both the grocery store and the online stock broker has registered its own key with Passport.

You can only use a cookie set by Passport for one single site, and the grocery store can't use the authentication token you used to access its site to impersonate you at your online stock trader, because that token has to be encrypted in the stock trader's key (which the grocery store doesn't have).

That said, you make a valid point too: what you get in return for locking your grocer out of your stock account is the little fact that Microsoft is now able to access all your accounts. Because they have all the keys.

Yes, some sites use Passport now, but soon, many many sites may be using it in combination with Hailstorm. This posses more problems as well. More users will be using it. They will have to use it more often. More data will be stored accessible with a Passport login.

Many people agree that this is the start of Microsoft's goal of "collecting a toll on every transaction on the internet". As others have suggested, upcoming versions of MS server software will make it easier and easier to use Passport when building web services. At the same time, they will make it harder not to use it... Adding more hoops to go through to set up something else... Like how they are removing Java from XP: one more hoop to to through to run Java.

As you can see, any security flaws in Passport could become a huge problem. Couple this with things like Sircam and CodeRed worm, and you have something that could drain bank accounts and do stock trades for you.

ObNote: Social Security Numbers were not originally intended to be used for identification purposes. If you find an old enough Social Security Card, it will even say that on it.

Now, personally, I don't want an 'internet' that makes me use Passport if I want to access certain sites. Sure, if I'm accessing various MS supported sites, I can understand it being there, but I still don't like it. What I can't stand is the MS attitude of making their products 'required' and shutting out everyone else. Sure, some people might just call it good business sense on the part of MS, but let's face it, with as much market share for OS's that they have, it's just another continuation of monopolistic practices.

It's OK to have a monopoly (at least it's legal). The problem is that MS is guilty of abusing it's monopoly in a CRIMINAL manner. We don't let felons vote but we let criminal corporations continue to perpetuate their crimes.

At this point other then taking the law into our hands there is not much anybody can do. It's clear the justice system is corrupted to the core and refuse to punish MS for it's crimes in a significant way.

I agree that the time to whine is over it's time to do something. Maybe go see what the going price on fertilizer is and rent a Rider. It's the only thing that can even hope to stop MS from committing it's crimes.

The corporation is guilty and should be punished. The punishment for this ought to be dissolving of the corporation and seizure of it's assets. The executives are guilty because it was they who made the decisions and used the corporation to commit crimes they should be jailed. The shareholders are guilty because they did not restrain their corporation and did not exercize their duty monitor and influence their corporation. The executives were serving the shareholders after all. They will be punished when the assets of the corporation are seized and the value of their shares go to zero.

Now maybe a small minded stupid fuck thinks that this is rich envy but that's because the idiot apparently thinks that all rich people commit crimes. Or maybe the moron is incapable of understanding that the legal system has already determined that these people acted in a criminal manner. Perhaps the dimwit thinks it's wrong to punish criminals who are rich because "they commit less crimes then any random 10,000 people" but I hope to god stupid shitheads like that never get in power. We in this country already let the Rich get away with murder.

Are you aware that there are multiple people posting to slashdot? Just because two conflicting opinions were posted to the same forum, it does not follow that both opinions are (A) held by the same person; or (B) "the party line".

I didn't know all this about passport, but it has great resemblance with paypal. The bogus site exploit has been done there as well.

The difference between paypal and microsoft merely is the fact that passport is not intended for micropayments, as I believe that ms will mostly focus on the b2b market.

For micropayments, Paypal [paypal.com] has low risk because they have taken a mix of all sorts of measures. An ex-FBI agent is in charge of two or three fraud detection teams, their "IGOR" system is an automated fraud detection system. Because the wallet contains such small amounts of money, the loss risk is therefore much smaller than if you'd use big amounts - necesary for b2b transactions.

I do notice the resemblance between PP and MS that they are dealing with the same security problems, perhaps this is why PP and MS are collaborating. When MS chooses not to work with micropayments, my guess is that they could get a lot of security problems, not only the ones written in the article, also the securite problems Paypal hasn't solved technically, but manually.

Passport can be as watertight as a duck's arse or as full of holes as a sieve for all I care. For me the only question is, why the hell would I choose Microsoft as my sole broker in the first place? - I haven't as far as I'm aware gone stark raving nuts yet!

It seems likely that some if not a lot of people are going to use the passport service outside of hotmail. It seems likely that some or a lot of them are going to regret it. While I don't wish those people any harm, they could be well the ones who bring this latest Microsoft ruse to a speedy end.

The new variant of Code Red might turn out to be the most damaging worm yet launched. That's happening today, while I'm writing this. My DSL connection will be hit a couple of times, in all probability, as I type this up.

That has to be the context of any discussion of passport.

Even well designed security fails. For that reason, if single choke point that will plunge the world into chaos if security fails is a bad idea. Passport is a bad idea.

The most important flaw isn't in the protocol, or in the fact that it's built on insecure services. A well designed passport type system would still be flawed, because it would present a single point of failure.

The fact that they want to do this at all proves that they're not thinking about security first.

MS has a track record of doing dumb things security wise because their business models demand them. They wanted to tie word and visual basic together so they opened up the world to the threat of macro viruses. They wanted to tie email and office together, so they made email systems that would run programs embedded in documents automatically if someone sends it to a MS user via the email.

These are not obscure problems, and they're not difficult to predict. You don't need to be a security guru to realize that they're trouble. MS did it anyway, because it was in their interest to do it. It wasn't in their customer's interests.

Passport isn't in anyone's interest by MS's. It's a bad design because it's centralized, because all of the eggs are in one basket. Most people want privacy. Most people want their credit card information to be secure. Most people want to control the information they give to various sites -- they don't want it passed around in the background, in the name of convenience.

Apart from all of that, it has to be pointed out that the company that's building and marketing passport has the worst record in computer security on the planet. By that I mean that MS security holes have cost more money -- billions and billions of dollars -- than any other company's security problems. How long did it take them to close the outlook macrovirus hole? How long was it obvious to everyone that it was a bad idea, before they closed it? Years. Why? Because they put their business model above their customer's security interests. And they're doing the same thing here.

Passport is a horrible idea. And even if it was a good idea, these are the last guys who should be trusted to build it.

The article mentions the possibility of one registering pasport.com (note the missing 's') to fool users into giving their username/password to the wrong site. A much easier way would be to redirect the user to a URL like this:

https://www.passport.com/very/long/path@evilhacker.com

Crafted to look like a legitimate Passport login URL before the '@'. Then, put a passport spoof site at evilhacker.com. Everything before the '@' is ignored, and the user will simply see a long passport.com URL in the address bar. The browser actually connects to evilhacker.com.

So it's much easier than the article describes to trick a user into providing credentials to the wrong site; all that is needed is an SSL cert, a copy of the Passport login screen, and a clever URL...

As the article notes, users won't check the cert (as long as it's valid and doesn't give a warning). They'll just type in their username and password. Even if they glance at the address bar, most users won't have any clue about the '@' trick, and if the URL is long enough they won't even see it.

Over all, I think the article makes a very good analisys of the problems in Passport (or really any central login system).

As has been pointed out, you can't have literal '/' or '?' in the username portion of the URL (that before the @)... I didn't realize this before, so it does make it a little more difficult.

Using %-encoding would work for hovering over the link, but not what's shown in the address bar of the browser after the link is clicked.

On another note, something else the article mentioned was DNS spoofing. One quick way to do that would be to sign up at some large ISP to host "passport.com", and hope that the signup process is automated. Then, for users of that ISP (or rather for users of their name servers), passport.com would resolve to your webserver, assuming that ISP uses the same DNS servers for both authoritive and non-authoritive requests.

Of course, this would be difficult to pull off, but I'm sure with some creative thinking it could be done. I've seen domains resolve to the wrong host many times due to similar tricks (intentional or otherwise). We once had "firefly.com" (coincidently an MS-owned domain) in our DNS thanks to automated signups for domain hosting; luckily, we only served authoritive requests (we were a webhost, not an ISP).

Nope. What you have there won't quite work. What you have before the "@" cannot contain literal slashes, among other characters. It can contain %-encoded entities, so you can put the slashes in that way ("%2F") -- most browsers translate this entity back to "/" when displaying the URL on hover.

Oh, and some browsers have already patched this "semantic attack [ebiz.co.za]."

It seems to me that the attacks listed are the same old attacks that most any system is vulernable to:

1. Confusion: many systems can confuse the end user. Slashdot could be one. How do you I logout? Can someone copy my login cookie and be me? Yeah, probably. This isn't a particularly new attack, do you think?

2. Key Management is the same problem that Verisign/Thawte have been faced with for a long time. How can we sure that the user/merchant is who he says he is? Its hard, for sure.

3. Central Point of Attack is again, a very real problem, but an old one. Any central database will face this, no matter what. More than anything, this discredits centralized logins, and by default, Passport. On the other hand, every little merchant will be under far less scruntiny in terms of security thanks to the central database.
4. Socially Engineered Attacks on Javascript/Cookies go back as far as, well, cookies and javascript. They are indeed bad technologies for secure uses, and using them here was naive at best. But the paper does point out that Javascript is not required.

5. Trust attacks are of coure relevant. Passport requiers a trust in the merchant who joined the program. Not much different from SSL, really.

6. Man-in-middle, DNS, etc attacks are also present, of course. This point didnt make much sense to me. The identical attack is present today. If i replace someones DNS records with a new entry for slashdot, then i can socially engineer their slashdot username/password. Passport makes this threat bigger and more real, especially on a company network where a bad employee could engineer some bad things.

I think the paper was really a re-hash of existing problems, and existing attack methods. The main difference is that instead of one or two applying to passport, they ALL apply to passport.

Centralized authentication would be nice, but not for the risk. But for certain, this paper didn't expose any new or unknown about Passport.

The biggest problem is with having one centralized database that the vast majority of users use. If there were 12 or 15 different implementations of the same scheme with different operating systems the problem lessens. Some of the methods of getting the information don't change no matter what you do but crack attempts are greatly complicated by having different implementations. A central repository will be the target of every black hat out there. Split it up and diversify it and any one of the schemes is less likely to be beaten. Use open protocols and operating systems, have lots of repositories and there is less danger to all. I personally think MS is crazy for wanting it all on their servers. When they get hacked it will be the single biggest computer news story ever. I don't think any software company, no matter what their advertising and lobbying budget is will be able to withstand the backlash of public opinion. Senators and Congressmen use hotmail too or if they don't family members do.

"its not lame anti ms rhetoric"
Is this supposed to suggest that other MS articles that are posted to/. *ARE* "lame anti ms rhetoric"?
Oh yeah, and where the hell is the punctuation? Shouldn't it read "it's not lame, anti-MS rhetoric"?
I mean... thats 6 words... and somehow/. editors managed to fit in about 3 mistakes in 6 words?!?
/. isn't exactly renowned for it's editing, but this seems to be a new low.
The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

Actually this is a plus point, and exactly how they should do it. A news reporter should report, and not add his opinion to it.

Many news on/. are not *lame* anti ms rhetoric themselfs, but often times the submitters add they ""lame"" opinions to it, and many reply comments come from a feared view, so are FUD, from both sides.

I think most of the anti-ms FUDs actually hurt the OpenSource communitiy, as it looses seriousity through this. Through all the FUD avalanche the serious crimes weasel through unnoticed. In some degree some stories had their positive effect, like in example the canceled program where they tried to track people who buys pc without windows preinstalled. Constant watching and finger clapping seems to be necessary to trust bindly IS a failure, for both ms-product costumers and their competition. However we should take care to not spread pure FUD, but try to make serious stuff, and not to cry for everything, especially unprooven actions.

Yes, grammar errors make a bad impression on first sight, but actually this is just dealing superficially. I know my grammar is bad since I'm no native english speaker, and haven't yet learned better, so please spare my post from your corrections.

Is this supposed to suggest that other MS articles that are posted to/. *ARE* "lame anti ms rhetoric"?

It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".

There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)

/. isn't exactly renowned for it's editing, but this seems to be a new low.

The post also has nothing to do with the article, we're given very little info.

Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.

If you want good editing, visit Linux Weekly News at http://www.lwn.net/ [lwn.net]. Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/ [kuro5hin.org]

Slashdot does a great job spreading FUD about MS and MS products. Slashdot cannot be regarded as a credible newssource for MS related stories. In fact, the amount of anti-MS FUD coming from slashdot has outgrown the amount of anti-OSS FUD coming from MS.

Hm, just looking at the front page now, there are 2 out of 2 articles that are uncomplimentary towards Microsoft, and rather true as well. The first concerns an insecure web server made by MS, and the other concerns MS's leveraging their monopoly to block third-party software that performs similar functions to MS's own software.

Slashdot cannot be regarded as a credible newssource for MS related stories.

(dripping with sarcasm) Oh, really? Did you just figure that out now, Brainiac?

I don't think it is.
But I do not see why it CAN'T be.
I just think that by putting "its not lame anti ms rhetoric" they seem to acknowledge that other MS articles posted on/. are unreliable. My point was that if they acknowledge this, why don't they do something about it?

I don't know. Frankly, the editors that post the MS articles are making fools out of themselves. Slashdot these days seems more and more about posting negative MS articles, and less about "stuff that matters."

You should come to Glasgow. They stick apostrophes everywhere, even on words that just happen to end in 's'.
Of course "shopkeeper apostrophes", where you put an apostrophe in a plural, is the favourite...

Try having a look at the Oxford EnglishDictionary; unfortunately its not availableonline unless you pay. It states that:+ "its" is the possessive form of "it"+ "it's" is an abbreviation for "it is"However, "it's" may also be written "its".Moderators, please remove the points rashly assignedto the parent post; it is firstly offtopic andsecondly wrong; unfortunately I am probably too late.

I have some experience to draw on here. While developing an internet-based payment system [perceptions.co.nz], I had to evaluate various security scenarios. The payment system is a server (Apache+PHP:) with connections to a transaction switch which is connected to a bank; a Merchant shopping site will redirect a customer to the payment page, who will make their payment there, and return a success or failure flag to the Merchant. The Merchant will tally up cash with us or with the banks in their regular settlement.

The first scenario I decided on and implemented was the similar as what Passport is using, but with the 3DES-key optional (so that Merchants with poor web coders could still participate). For the rest of this discussion, I'll only refer to the version with the DES protection.

Also, being a payment system,there was only one ever call and one return with results -- not a login and logout process.

We found that by using various SSL, cookie methods, and so on, we could get around all security flaws, but the downside is that the Merchant has an awful lot of responsibilities, including:

Verifying, encrypting and decrypting the 3DES keys

Keeping its 3DES key secure...

...which entails keeping its system totally secure from hacking

Implementing the rest of the protocol to communicate with the Passport etc. server via cookies

Generating cookies that work correctly in any version of any browser (even getting them to work correctly in one browser is a hassle!)

Detecting duplicate transactions (for example, J.Hacker does a valid purchase for $1; and records the connection, then comes back later, begins a purchase for $10000, and intercepts the connection and responds with the $1 packet)

and the list goes on. In the end I decided that while it was a security model that held together,
and if I were coding for the Merchant I could do it correctly, but there are many Merchants that would simply fail to do it right, and either have it work buggily or insecurely, or not at all, and then blame the system (or the customers would blame the system).

It's easy to say "Well, they should do it right," but when you've been in the commercial world a while, you realise just how incompetent many companies are.

In the end, tired of patching up small hole after small hole and writing merchant integration documents, I changed my mind and chose an alternative scheme which may seem harder for Merchants at first, but in fact leaves them as little room for going wrong, even if the transactions run a little slower.

Conclusion? Hack just one of the merchants involved in Passport, grab their 3DES key, and you're in and untraceable (bar the merchant actually keeping valid authentication logs and being able to follow them; in which case the worst that could happen is that they change their 3DES key). The security will deter script kiddies but a hacker with serious skills will have a field day.

"The bulk of Passport's flaws arise directly from its reliance on systems
that are either not trustworthy (such as HTTP referrals and the DNS) or assume
too much about user awareness (such as SSL). Another flaw arises out of
interactions with a particular browser (Netscape). Passport's attempt to
retrofit the complex process of single sign-on to fit the limitations of
existing browser technology leads to compromises that create real risks."

Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed. I think that XNS [xns.org] has a chance of doing this type of thing better than any of the closed source alternatively like Passport.

Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed.

It might "be nice," but for whom?

Why does this info need to be on an external machine at all (other than helping Microsoft or government bureaucrats)? A browser (or an add-on) could do all that with a locally encrypted database (which can be copied or synchronized with, say, your laptop) and you don't have to expose your personal info and browsing habits to some central agency to collect, track and correlate. It need not essentially be any different than the list of bookmarks bookmarks or email addresses we already use. If you have multiple machines, you copy your bookmarks or email address book to other machines.

The commonly parroted "Passport rationale" could be equally applied to browser bookmarks or email address book and, if it had any merit, we would already have our bookmark lists and email address books on the Microsoft servers to use as they wish. We don't keep them there. And the same will apply to the Passport scam.

So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books.

The idea behind passport and a centralized approach is so that yourinformation is available EVERYWHERE. If you went to a place that has internet enabled kiosks and you wanted to access your information you would have to have synced it with this system. Using passport, or another system like this, the user doesn't have to worry about syncing at all.

Perhaps a better approach would be to create smart card tehcnology that holds this information. The biggest security risk here is losing your smart card, probably about as damaging as losing your credit card, perhaps more so, but it's realistically the only alternative. Syncing is not alternative becaus eit limits where your data can be accessed from.

Keep in mind that many of the systems Passport and Hailstorm, because the two are intrinsically intertwined, do not exist. Passport and Hailstorm could conceivably eveolve into smart card technology or PDA bsed systems that use IR or Bluetooth to communicate with each other. These two technoogies represents innovation and the future of computing systems. Let them flourish and see where they take us. Don't rip them out with the weeds because you don;t understand them.

"So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books."

The idea behind passport and a centralized approach is so that yourinformation is available
EVERYWHERE.

That is what I was asking above -- why does not that same rationale (which is commonly being peddled by Passport advocates) make users keep their email address books or bookmark lists on Microsofts or AOL servers, instead of keeping them on their local machines (and copying these lists if needed to their laptops or other machines)?

The answer is that the heavy and numerous downsides of a centralized third party database of your personal data far outweigh any minor convenience of being able, say, to email friends from a cruse ship, without that so "terribly hard" job of having to copy address book to your laptop.

While you can argue theoretically using some contrived low-probability scenarios or by tweaking your weighing of one convenience (usable "everywhere" and without needing to copy data to other computers) vs all the problems, to conclude that Passport-like schemes will take off, the only weighing that counts at the end (the hundreds of millions of email address books & browser bookmark users) has already been done and the result is: No Thanks. I would rather copy my email address book and bookmark files to my laptop than have Microsoft or government keep them for "my" convenience on their servers. The same goes for my "usernames" and my "passwords."

The Passport will take off the same way the so-called "push technology" and other such scams, disguised as the great "conveniences" for the users, took off. They are much too cheap and transparent, even for the TV zombie generations lobotomized by the PeeCee "education."

That is what I was asking above -- why does not that same rationale (which is commonly being peddled by Passport advocates) make users keep their email address books or bookmark lists on Microsofts or AOL servers, instead of keeping them on their local machines (and copying these lists if needed to their laptops or other machines)?
The answer is that the heavy and numerous downsides of a centralized third party database of your personal data far outweigh any minor convenience of being able, say, to email friends from a cruse ship, without that so "terribly hard" job of having to copy address book to your laptop.

Actually, I do keep a list of email addresses, as well as phone numbers on a Yahoo account, even though I don't use Yahoo mail. I find it hard enough to keep my work and home machines in sync, much less my non-existent laptop to take on cruise ships.

I also keep an encrypted list of passwords in a file on a central server somewhere. I do that not just because I want to access them from more than one place, but also because I want to have them if my hard disk crashes (which happens about one every three years).

The "numerous and heavy downsides" of Passport are so far entirely theoretical. I've never seen a single complaint from anyone.

The inherant problem with this technology, however, is that in order to have a secure, single sign on, somewhere there has to be a database, accessable to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running, there will be never ending attempts to bring it down or r00t it.

Plus, i don't like the idea of my private information being the property of a corporation.

I think that XNS has a chance of doing this type of thing better than any of the closed source alternatively like Passport.

Holy fsck is that ever ignorant!

Why are open-sourced foo always better than closed-sourced or company-owned foo? And why do most/.ers just accept that on faith? Sure, many great things have come out of open source, but that does not automatically qualify everything stamped with GPL/BSD/licence-du-jour or appears to have a transparent process as a Good Thing, just as not every thing published by the big-bad-company is a Bad Thing.

As it stands now, Passport exists, appears to be scalable, and works most of the time, which is a lot more than I can say for XNS. And yes, Passport has problems right now and will have problems in the future, as will XNS. It's a part of the development process which can't be avoided but at least Passport is out there now, being used, attacked, and debugged, before it or anything else becomes somewhat of a universal standard when real $$ is at stake.

And given the choice of who to fix an emergent security concern in their respective systems, would you trust the well-intentioned staff of XNS, who are either very knowledgable but potentially few and far between (cf recent slashdot and K5 outages), or somewhat knowledgable and found in abundance; or Passport, staffed 24x7 by an army of people who at least know what they are doing and are eventually liable to shareholders and business partners who have multi$billions to throw around (or not)?

XNS and anything else that comes along will necessarily have to learn from the mistakes made by Passport now, and I don't think that's a Bad Thing. As it stands right now, the afore-mentioned army of developers _who evolved the current system over 5+ years and must listen and respond to customer and partner concerns or lose business measured by six or seven zeros on a daily basis_ aren't getting it entirely right, so why would I think that an emergent cadre of excellent but not-entirely-devoted developers with comparatively zero funding can _build and maintain_ what amounts to a public infrastructure (something which doesn't lend itself well to being maintained by an entity, staffed by few enough people that they can all be killed in one incident, and without real-world liability for failure) to serve billions of people world-wide? I don't.

The situation without passport is even more insecure because:
- it relies on individual vendors to provide security for communication
- consumers trust these vendors to do so in most cases
- any vendor protocol is subject to the same security risks as passport
- most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

Any solution that improves the current situation is a step forward. That being said, the real issue is trust and I am a bit hesitant to trust a commercial company with privacy sensitive information (this is not anti MS, I wouldn't trust Red Hat with it either). The only way I could trust a passport server would be if it were protected by laws making every kind of abuse (including using the information for marketing purposes) illegal AND if it were maintained by an organization (preferably governmental) that has no interest in abusing this information. MS fails both requirements.

Interestingly, laws for the first requirement exist in some countries. It wouldn't surprise me if MS would run into legal trouble at some point for violating such privacy protecting laws.

The situation without passport is even more insecure because:
- it relies on individual vendors to provide security for communication
- consumers trust these vendors to do so in most cases
- any vendor protocol is subject to the same security risks as passport
- most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

Yes, but since the current system isn't centralized, a hacker can only crack one transaction or vendor at a time. With a centralized passport system, a hacker could crack one username/password and gain access to incredible amounts of information and purchasing power. Plus when the Passport servers are cracked (I think it's inevitable that they will be at some time, somehow) the consequences will be catastrophic.

no, they dont "Force" us to use these things.. But, as passport grows and more sites use it, it will be almost impossible not to have a passport account. If you want to use service X you will have to sign up with microsoft.

The example of msn/communites was just from personal experience. I am unable to communicate with many of my friends over the net cause I refuse to sign up to passport - sure its my choice, but in my oppinion they are abusing their monopoly with this.
It will become worse when many other merchants are using passport.

Option A: Do not communicate with friends, try to convince them to use Jabber or something else, or call them on the phone.

OR
Option B: Get a passport account and use MSN messenger.

Why is that monopolistic? If it were only A, then sure, I'd follow your logic.

If many merchants sign up with passport, your options will still be:

Option A: Choose a different merchant.

Option B: Get a passport account.

sure its my choice, but in my oppinion they are abusing their monopoly with this
How is that abuse of a monopoly? I dont follow your logic. You just said its your choice. Then you say they are forcing it on you. Those statements just don't mix.

I don't know if you have read anything about Windows/Office XP. In order to get them to work for more than 30 days, you have to get a passport account. This is so that MS can get the info of what machine (not Processor ID #) but what type of processor, how much ram, type and size of HD's, etc. I will give MS one good statement, they can make an awesome licence agreement, just too bad that they can't make a decent OS.

I *tried* to avoid upgrading to IE 5. I liked IE 4 and was happy with it and didn't want the extra bloat of IE 5.

I couldn't do it. Every time I turned around, something from Microsoft was installing IE 5 on my (wife's) machine (mine runs Linux and has endured over 200 infection attempts from the various Code Red variations ).

I have to use W2K and Office at work because otherwise I wouldn't be able to work efficiently with my clients and co-workers cause they insist on using MS crap.

Then let me help. One name; StarOffice. It supports all MS-Office formats, it's free and aviable on most platforms (including Windows.)

They do it by making it impossible for a third party software to interface properly with the MS crap! They close or obfuscate data structure and APIdocumentation.

Interaction with MS-crap isn't that useful. Let's say passport got a grip on most online banks, shops, stock traders etc. I find it hard to belive that they would substitute all login possibilities with passport. You would still have the possibility to create a username and password, they might even implement non-MS open-source alternatives. For instance; at least half of all/.'ers would not use passport and that's more than 200.000 heavy Internett users and online shoppers. Our opinions are infact heard by capitalistic powers, because we're pro free, open-source alternatives.

Then let me help. One name; StarOffice. It supports all MS-Office formats, it's free and aviable on most platforms (including Windows.)

Er... not "hard" documents. Word documents with tables don't load right, for instance. Neither do Excel documents with graphics and things like cell protection. This was a huge issue when I was applying for a Linux job through a head hunter. I mentioned I didn't have access to Office and was informed, "I don't know how you can call yourself a professional if you don't have Office." I bailed on the headhunter (and am still looking for work, halfheartedly).

I think a much better alternative to Passport is smart cards. You can think of a smart card as your own, personal, secure little "Passport server", a server that is entirely under your control, including physical control.

Passport seems to me like an attempt to centralize a service because it is highly profitable for the service provider to do so, not because it makes sense. (AOL IM is another example.)

I'll agree with people that this paper [avirubin.com] is much more than your average MS-bashing that we experience here at Slashdot. It's good to see that the authors had done the technical research and had the evidence to back up their claims. It also had some interesting points that I though I'd might mention here:

The first interesting point I noted is that while using Netscape, clicking on the Logout button for Hotmail would appear to log you out of Hotmail and redirect you to msn.com. But if you were to click the Hotmail link again, you would appear in your inbox without reauthenticating. Needless to say, this creates a major practical security flaw for non-technically-minded users (ie. the users most at risk because they don't fully understand how the whole process works) as someone on a public terminal can commandeer a previous user's Passport account by simply clicking on the Hotmail icon, hence gaining access to their account. So Passport doesn't work properly with Netscape, but works fine with Microsoft Internet Explorer Conspiracy theorists and Microsoft bashers, do what you will with that statement. The obvious solution to this problem is to use MSIE (a morally repugnant option to some in the Slashdot community), but it shows the problems that can occur when differing platforms aren't properly taken into consideration.

The central point of authenication can also prove a security risk as it provides a central point of attack. There's no real way around this particular risk as it's a long-accepted notion that the more valuable data is on a machine, the more likely it is going to be compromised (or at least, attempts are made). So to have vital information for all Passport users on a single server (correct me if I'm wrong) makes a very tasty target for hackers, crackers and anarchists the world over.

It's been a long-accepted notion that the weakest part of any security system is the people, and that includes everyone from users to sysadmins. So if you choose an obvious password (like "swordfish"), then your account is more likely to be compromised because the hacker can just guess your password, rather than employing elaborate methods (such as DNS spoofing, explained here in this SANS article [sans.org]) to compromise your account.

And finally, I'd like to point out that Passport, while having serious security flaws, is an abitious project that makes the best of existing technology. It's alright to stand up and say (or post, in this instance) that Passport is insecure but until we fundamentally change existing protocols (DNSSEC and IPSec are two suggested standards) then this is what we have to deal with.

In conclusion, you can say what you like about Microsoft, but unless you have evidence to back it up, you won't have much credibility. At least these people did their homework.

It would be nice if proposals for global authentication services were secure.

It would be even nicer if the most popular desktop environment were reasonably secure so that we couldn't easily list attacks that start there -- corrupted hosts file, cookie harvesting, keystroke capture...

> > Passport's security model depends heavily on the Domain Name System > >
You know, this more than anything else in the article bothered me. I can see the next big wave of MS
server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine.

I can see that, but I can also see a wave of cookie-harvesting attempts. If the expiry dates on the persistent cookies used as authentication tokens is long enough (as it presumably must be, or the user would have to log in again every day), a worm that.ZIPs up a user's cookies and "phones home" by emailing the cookies to a set of randomly-pregenerated Yahoo (or for irony's sake, Hotmail) accounts, by filling out a web form (as, for instance, an AC posting to/. in a user-created forum), maybe even to an abandoned newsgroup, with bonus points for doing the USENET post through an open SOCKS proxy.

Either option is possible - the HOSTS file approach would be readily-detectable, though, and easily fixed. Whoever set up the site to which the h4x0red HOSTS file pointed would also be the obvious target for investigation. The cookie-harvesting approach would offer similar ease-of-coding for the k1dd13z, but depending on the mechanism chosen for "phoning home" (and the options available to the attacker for retrieving the messages containing the cookies, including anonymizing proxies), near-total anonymity.

As currently implemented, Passport and.NET are disasters waiting to happen, and I will entrust no confidential data with them. If my bank or broker requires their use, I will take my business elsewhere, or regress to doing my business over the phone or in meatspace.